Autoscaler chart is missing some rules #4114

Closed
phenixdotnet opened this issue Jun 3, 2021 · 4 comments · Fixed by #4154
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@phenixdotnet

Which component are you using?:
Cluster Autoscaler Helm chart

What version of the component are you using?:
Latest

What k8s version are you using (kubectl version)?:
v1.20.4-eks-6b7464 & v1.19.6-eks-49a6c0

What environment is this in?:
EKS on AWS

What did you expect to happen?:
Autoscaler can access all required resources in the cluster or doesn't try to access unneeded resources

What happened instead?:
cluster-autoscaler logs report a permission denied error when trying to access some CSI-related resources:

k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.CSIDriver: failed to list *v1.CSIDriver: csidrivers.storage.k8s.io is forbidden: User "system:serviceaccount:REDACTED:REDACTED-cluster-autoscaler" cannot list resource "csidrivers" in API group "storage.k8s.io" at the cluster scope

and for csistoragecapacities

How to reproduce it (as minimally and precisely as possible):
Launch cluster-autoscaler from the helm chart with service account and RBAC enabled

Anything else we need to know?:
We fixed it by changing the cluster role from:

- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - csinodes
  verbs:
  - watch
  - list
  - get

to

- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - csinodes
  - csidrivers
  - csistoragecapacities
  verbs:
  - watch
  - list
  - get

But I'm not sure this change is the best/correct as I don't know the minimum permissions required for csidrivers and csistoragecapacities

@phenixdotnet phenixdotnet added the kind/bug Categorizes issue or PR as related to a bug. label Jun 3, 2021
@phenixdotnet phenixdotnet changed the title Autoscaler chart is missing some roles Autoscaler chart is missing some rules Jun 3, 2021
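
As an added example (not part of the issue, the chart, or the eventual fix), this sketch derives the smallest set of extra RBAC rules from the denial messages themselves and compares it with the rule already granted. The log lines, namespace and service-account names are constructed, and treating a "Failed to watch" line as needing both `list` and `watch` is an assumption about client-go informers.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the denial quoted in the issue.
# Namespace and service-account names are placeholders.
_LINE = ('E0603 factory.go:134: Failed to watch {kind}: failed to list {kind}: '
         '{res}.storage.k8s.io is forbidden: User "system:serviceaccount:example-ns:'
         'example-ca" cannot list resource "{res}" in API group "storage.k8s.io" '
         'at the cluster scope')
SAMPLE_LOG = "\n".join([
    _LINE.format(kind="*v1.CSIDriver", res="csidrivers"),
    _LINE.format(kind="*v1beta1.CSIStorageCapacity", res="csistoragecapacities"),
    "I0603 unrelated informational line"])
# The storage.k8s.io rule the issue shows the chart shipping before the fix.
GRANTED = [{"apiGroups": ["storage.k8s.io"],
            "resources": ["storageclasses", "csinodes"],
            "verbs": ["watch", "list", "get"]}]
DENIAL = re.compile(r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
                    r'in API group "(?P<group>[^"]*)"')

def parse_denials(log):
    """Map (apiGroup, resource) -> set of verbs the log shows were denied."""
    denied = defaultdict(set)
    for line in log.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        verbs = denied[(m["group"], m["resource"])]
        verbs.add(m["verb"])
        # Assumption: "Failed to watch" marks a client-go informer, which
        # lists and then watches, so "watch" will be needed as well.
        if "Failed to watch" in line:
            verbs.add("watch")
    return dict(denied)

def missing_rules(denied, granted):
    """ClusterRole-style rules covering only what `granted` does not."""
    grouped = defaultdict(set)  # (apiGroup, verbs) -> resources
    for (group, resource), verbs in denied.items():
        have = set()
        for rule in granted:
            if ({group, "*"} & set(rule["apiGroups"])
                    and {resource, "*"} & set(rule["resources"])):
                have |= set(rule["verbs"])
        need = set() if "*" in have else verbs - have
        if need:
            grouped[(group, tuple(sorted(need)))].add(resource)
    return [{"apiGroups": [g], "resources": sorted(r), "verbs": list(v)}
            for (g, v), r in sorted(grouped.items())]
```

For the sample, `missing_rules(parse_denials(SAMPLE_LOG), GRANTED)` yields one rule for `csidrivers` and `csistoragecapacities` with only `list` and `watch`; the log gives no evidence either way for `get`.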
@liwandaniel

liwandaniel commented Jun 6, 2021

Any solutions to solve this problem? I got this error too

@phenixdotnet
Author

@liwandaniel : You can "just" edit the cluster role used by autoscaler to add the missing rules.

@jtcarnes

@MarcusNoble didn't see your MR, created the exact same one myself, #4159
